Stealing passwords is very easy at marp

greenspun.com : LUSENET : MARP Editors : One Thread

Examples of password stealing: I was able to steal some passwords by putting a "link" to a picture in my upload Description, back to my own site. Game Guru, since he has a link to a picture back to his site, undoubtedly has my password on his site's logs. Here are the passwords I was able to steal just by having my link, and I'm going to change mine right now; I suggest you do too. plf.

-- Anonymous, May 21, 2001

Answers

I'm curious, gameboy, do you have a shortcut with your password in the link? I know that's how my password got in there, but I wonder if not having a shortcut will still forward the password. I guess it does if gameboy did not have a shortcut with the password in the URL... I wonder if we need to DE-HTMLize the descriptions to avoid this.... Since even if I changed my password now, Game Guru with the little fox URL will still get my new password forwarded to his site...

-- Anonymous, May 21, 2001

Gameboy asked me to try this again and I was able to get another plethora of passwords, just as easy as the first time. I believe ALL form/GET parameters are being forwarded by the Python scripts, so the only real easy potential fix is to strip HTML tags from descriptions when submitting uploads (actually this is probably a good thing anyway...). Strip anything in between "<"'s and ">"'s.

bbh, I got your password too btw... I wonder what kick that is from.

-- Anonymous, May 28, 2001


Actually, just strip/replace < and > characters with [ and ]; probably a better stripper.

-- Anonymous, May 28, 2001

Damn. This really ain't a good situation. How do we discourage people like Lame Guru from posting their stupid animated gifs (that usually have nothing to do with the game, why Pac-Man on a 19XX upload?), without giving away why it's frowned upon?

Oh, and mine came from KoF. It's a good thing I don't use that same password for anything else.

-BBH

-- Anonymous, May 29, 2001


We could ask people not to do it but they'll ask why and there's no good answer besides the real one.... of course even if we stripped they'll ask why and then we would tell them then game guru or the people that didn't know how to get the passwords will go back on their server logs and find them sitting there where they have always been.

Best thing to do is just strip: this, I believe, can be done in two Python steps: (1) a single retroactive SQL statement update (to strip the < and > out of all descriptions) and (2) a post-upload SQL statement after every upload from Python to auto-edit the upload description.

I still don't know if bbh or gameboy had passwords in their URLs to access MARP (I know I did and I thought perhaps that was the cause); if either of you actually type your login and password in each time you use MARP, then it's really something we'd have to fix in Python.

Oh wait, isn't there something you can do to a string in Python before you output it to the page? I'll bet this might be easier than stripping; I'll bet Python has a de-htmlize(string) so when the description is output, it won't process the HTML... it just displays the HTML source.

Well, really the best way to fix this is to tell Python not to forward the password in the GET method, since even if we did this there's still an accidental chance that one of the editors clicks on the knockout page (whose server logs are in France somewhere) and gets their password forwarded to them.... it's not pretty.

Well, maybe it doesn't matter that much, since if we do find someone using someone else's password we can block them, but how much damage can they do before we notice?

-- Anonymous, May 29, 2001



This isn't pretty at all, is it!

It makes no difference whether you use a shortcut or type your password each time. The MARP scripts use the URL to keep track of whether you're logged in or not. They should probably use cookies, or some such, but they don't. MARP was my first (and only) attempt at making a CGI script, and so there's quite a lot wrong with it.

Stripping < and > (and replacing with [ and ]) would stop inlined graphics from giving the passwords away, but as you say, any links to external URLs will still be exporting the passwords. I've seen passwords on the counter sites before - the 'referring page' URL gets sent to any URL referenced from the MARP page, and the MARP page's URL contains login and password information.

I will take a look at using cookies, and disable HTML in descriptions (using an on-the-fly string replace) until this is done.

I can't FTP from the office. The fix is simple, so if one of you is willing to help out, here's what needs doing:

Thanks! Oh, and it's probably best if only one person does this... Chris.

-- Anonymous, June 04, 2001
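Since, as Chris explains, the credentials surface in the logs of whatever site a MARP page links to, the Referer field of those logs is where a defender can check for the leak. The script below is an added example and not part of this thread or the MARP code; the log lines are constructed, and the user names, parameter names and hostnames in them are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines, as the image host linked from an
# upload description would record them. The Referer is the MARP page the
# browser was on, so any login parameters in that page's URL end up here.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2001:10:15:02 +0000] "GET /fox.gif HTTP/1.0" 200 1234 "http://marp.retrogames.com/index.cgi?prefix=ant&passwd=secret1" "Mozilla/4.0"
203.0.113.9 - - [21/May/2001:10:16:40 +0000] "GET /fox.gif HTTP/1.0" 200 1234 "http://marp.retrogames.com/index.cgi?mode=search&game=pacman" "Mozilla/4.0"
203.0.113.7 - - [21/May/2001:10:17:11 +0000] "GET /fox.gif HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

# Query parameter names that should never travel in a URL at all.
SENSITIVE_PARAMS = ("passwd", "password", "pass", "pwd", "token")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def leaked_credentials(log_text):
    """Return (referer_host, prefix, param_name) for each log line whose
    Referer carries a sensitive query parameter. The secret value itself
    is deliberately not returned, so the report can be shared safely."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("referer") == "-":
            continue
        parts = urlsplit(m.group("referer"))
        qs = parse_qs(parts.query, keep_blank_values=True)
        for name in SENSITIVE_PARAMS:
            if name in qs:
                user = qs.get("prefix", ["?"])[0]
                findings.append((parts.hostname, user, name))
    return findings


if __name__ == "__main__":
    for host, user, param in leaked_credentials(SAMPLE_LOG):
        print("credential leak via Referer from %s: user %r, parameter %r"
              % (host, user, param))
```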

Wow, thanks Chris! That should help! And we know it was your first attempt; it most certainly has done an excellent job from its "side" project beginnings. I can only suspect if Python used "POST" method form variables it might not send them as referer URL parts... but you're right, the best way would be to use a cookie or persistent session# variable instead of the login/password pair. Thanks for looking into it.

pat or pete: let me know when you upload the fix and i'll test it.

-- Anonymous, June 04, 2001


I made the change myself. It wasn't easy using just UNIX commands, but a series of 'head', 'tail', 'echo' and 'cat' commands seems to have done the trick...

Of course, all the '<BR>' line breaks that I put in when adding 'editor' comments to the end of user comments have stopped working, and just look silly now [BR].

Chad - do you have a good reference to cookies, session IDs, or whatever you think is the best way to fix this? What if I just changed all the 'GET's to 'POST's? Might that do it? In particular I would be interested to know exactly what URL you see in your server logs - is it the 'mode=frames' one, or the 'mode=search' one?

Cheers.

Chris.

-- Anonymous, June 05, 2001


To work around the line breaks, I added 2 more lines, making the total change as follows:
            # neutralise any HTML in the user-supplied text
            row_note = string.replace(row_note, '<', '[')
            row_note = string.replace(row_note, '>', ']')
            # restore only the editors' own line breaks, which the step above has turned into [BR]
            row_note = string.replace(row_note, '[BR]', '<BR>')
            row_note = string.replace(row_note, '[br]', '<BR>')
Chris.

-- Anonymous, June 05, 2001

I think a "new line" on HTML won't do anything; you might have to do row_note = string.replace(row_note, '[BR]', '<BR>') etc. It's possible that changing the GETs to POST may work, but then it may not work for dumb people (like me) who have a link that uses the GET method to initially log in with a simple entry point URL with login and password embedded. I'll have to analyze the URLs I get to see when and where I really get that stuff. The strange thing about the URLs is that they always have the form variables in the SAME order; this is unusual because my dumb entry point URL has the form variables in a completely different order than that. Oh! I know why: because the entry point URL is the main frame, and you generate the lower search frame with a generated URL search string always in the same order. That's why, so maybe the GET method change will work.... I will email the full URLs.

-- Anonymous, June 05, 2001


Oh yeah, the "<"BR">" won't show up here; you're right, Chris :)

-- Anonymous, June 05, 2001

It turns out that I was already using the POST method exclusively.

Last night I made a whole bunch of changes so that the script now uses a couple of cookies (one for login, one for password) instead of passing the password around in the URL. If it finds a passwd= or prefix= in the URL it complains now and asks you to log in and update your bookmark.

Chad - I notice you use a 'special' URL to get a different starting page - you *should* be able to remove just the prefix=... and passwd=... bits (along with an ampersand for each) from your bookmark and still get what you got before.

MARP will no longer allow people with cookies disabled to log in. I don't know how big a deal this is - some people see cookies as an invasion of privacy (since advertisers can use them to 'profile' your browsing habits and target advertising appropriately).

Chris.

-- Anonymous, June 06, 2001
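Chris's fix keeps the password itself in a cookie; Chad's earlier suggestion of a persistent session number avoids that. The handler below, an added example in Python 3 and not the MARP script, shows that variant: it rejects any request that still carries prefix= or passwd= in the query string, logs users in only through a POSTed form, and tracks them by a random server-side session id. The user table, cookie name and function names are assumptions.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed user table with a placeholder password; the real script kept
# its accounts elsewhere. Password storage is unchanged from the thread's
# design and is not the point of this example.
USERS = {"ant": "placeholder-password"}
SESSIONS = {}            # session id -> prefix, held only on the server
SESSION_COOKIE = "marp_session"


def check_request(query_string, cookie_header):
    """Classify one request. Returns ("reject", message) when credentials
    travel in the URL, ("user", prefix) for a valid session cookie, and
    ("anonymous", None) otherwise."""
    qs = parse_qs(query_string)
    if "passwd" in qs or "prefix" in qs:
        return ("reject", "Log in with the form and update your bookmark; "
                          "credentials are no longer accepted in the URL.")
    cookie = SimpleCookie(cookie_header or "")
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is not None and morsel.value in SESSIONS:
        return ("user", SESSIONS[morsel.value])
    return ("anonymous", None)


def login(prefix, passwd):
    """Handle the POSTed login form. On success create a server-side
    session and return the Set-Cookie header to emit; None on failure."""
    expected = USERS.get(prefix)
    if expected is None or not hmac.compare_digest(expected, passwd):
        return None
    sid = secrets.token_urlsafe(32)       # unguessable, unrelated to the password
    SESSIONS[sid] = prefix
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    cookie[SESSION_COOKIE]["httponly"] = True   # keep it away from page scripts
    cookie[SESSION_COOKIE]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    header = login("ant", "placeholder-password")
    print(header)
    sid = header.split("marp_session=")[1].split(";")[0]
    print(check_request("mode=search", "marp_session=" + sid))
    print(check_request("prefix=ant&passwd=x", ""))
```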


Cookies have always been fabled to be an invasion of privacy. I think only paranoid people would turn them off, and people that paranoid wouldn't be using computers connected to any public network. Cookies are just a more efficient way of tracking web traffic; I never saw what harm could come to consumers more than, like, having a supermarket "discount" card that you have to scan in before purchasing a specially discounted item.

Very nice work Chris, it's working out well. I don't need my special URL (and no one else should either) to log in anymore; the computer stores the cookie and as long as I don't toss my cookies I don't have to type in the password and login/prefix anymore. And if I do toss them, I just need to log in one more time to get the cookie back.

-- Anonymous, June 06, 2001

